- name: kubernetes.certmanager.certificate
  rules:
  - alert: CertmanagerCertificateExpiredSoon
    expr: |
      max by (name, exported_namespace) (certmanager_certificate_expiration_timestamp_seconds{job="cert-manager"} - time() < 1209600)
    for: 1h
    labels:
      severity_level: "4"
    annotations:
      plk_protocol_version: "1"
      plk_create_group_if_not_exists__cluster_has_expiring_certificates: ClusterHasCertmanagerCertificatesExpiringSoon,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes
      plk_grouped_by__cluster_has_expiring_certificates: ClusterHasCertmanagerCertificatesExpiringSoon,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes
      description: The certificate {{$labels.exported_namespace}}/{{$labels.name}} will expire in less than 2 weeks
      summary: Certificate will expire soon

  - alert: CertmanagerCertificateExpired
    expr: |
      max by (name, exported_namespace) (certmanager_certificate_expiration_timestamp_seconds{job="cert-manager"} - time() < 0)
    for: 1h
    labels:
      severity_level: "4"
    annotations:
      plk_protocol_version: "1"
      plk_create_group_if_not_exists__cluster_has_expired_certificates: ClusterHasCertmanagerCertificatesExpired,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes
      plk_grouped_by__cluster_has_expired_certificates: ClusterHasCertmanagerCertificatesExpired,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes
      description: Certificate {{$labels.exported_namespace}}/{{$labels.name}} expired
      summary: Certificate expired

  - alert: CertmanagerCertificateOrderErrors
    expr: |
      sum by (scheme, host, path, status) (
        rate(
          certmanager_http_acme_client_request_count{status!~"2[0-9][0-9]"}[5m]
        )
      ) > 0
    for: 30m
    labels:
      severity_level: "5"
    annotations:
      plk_protocol_version: "1"
      plk_create_group_if_not_exists__d8_cert_manager_malfunctioning: D8CertmanagerMalfunctioning,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes
      plk_grouped_by__d8_cert_manager_malfunctioning: D8CertmanagerMalfunctioning,tier=~tier,prometheus=deckhouse,kubernetes=~kubernetes
      summary: Certmanager cannot order a certificate.
      description: |
        Cermanager receives responses with the code `{{ $labels.status }}` on requesting {{ $labels.scheme }}://{{ $labels.host }}{{ $labels.path }}.

        It can affect certificates ordering and prolongation. Check certmanager logs for more info.
        `kubectl -n d8-cert-manager logs -l app=cert-manager -c cert-manager`
